[FS#943] iptables 1.6.1 ignores locks
LEDE Bugs
lede-bugs at lists.infradead.org
Tue Aug 1 02:31:58 PDT 2017
A new Flyspray task has been opened. Details are below.
User who did this - Charlemagne Lasse (charlemagnelasse)
Attached to Project - LEDE Project
Summary - iptables 1.6.1 ignores locks
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To -
Operating System - All
Severity - High
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - Just flashed a device with the current snapshot of LEDE (https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/; r4657-bb4d500). I then wanted to use locking with iptables but noticed that the lock was just not working:
root@LEDE:/# strace iptables -w -L
...
open("/run/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_INFO, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
...
The lock was basically ignored and the socket was opened without the lock opened. The package is missing the following things:
* change https://git.netfilter.org/iptables/commit/?id=836846f0d747e1be8e37d2d43b215a68b30ea1a9
* change https://git.netfilter.org/iptables/commit/?id=b91af533f4da15854893ba5cc082e1df6bcf9a97
* change https://git.netfilter.org/iptables/commit/?id=80d8bfaac9e2430d710084a10ec78e68bd61e6ec
* iptables Makefile change to add the following configure option: --xt-lock-name=/var/lock/xtables.lock
It is not safe to use multiple (writing) iptables processes without locking. It is therefore a rather big problem that it is broken at the moment.
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=943
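A check for the failure shown in the report's trace, as an added example that is not part of the original report or of iptables: it classifies strace output by whether the xtables lock file was opened and locked before the first netfilter table access. The function names, the status strings and the second sample trace (its flock() call and descriptor numbers) are constructed assumptions.

```shell
# Classify an `strace iptables -w ...` trace read from stdin. Prints one of:
#   locked            lock file opened and flock()ed before netfilter was touched
#   lock-open-failed  open() of the lock file failed, netfilter was touched anyway
#   lock-not-taken    lock file seen, but no successful flock() was observed
#   no-lock-attempt   the trace never opens an xtables.lock file
xtables_lock_status() {
    awk '
        # open()/openat() of any path ending in xtables.lock
        /open(at)?\(.*xtables\.lock"/ {
            seen = 1
            if ($0 ~ /= -1 /) { failed = 1 }
            else { n = split($0, p, "= "); fd = p[n] + 0; opened = 1 }
            next
        }
        # successful flock() on the descriptor returned by that open()
        opened && /flock\(/ && /= 0$/ {
            split($0, a, /[(,]/)
            if (a[2] + 0 == fd) locked = 1
        }
        # the first table access ends the scan: the verdict is the state so far
        /IP6?T_SO_GET_INFO/ { touched = 1; exit }
        END {
            if (!seen)                  print "no-lock-attempt"
            else if (locked)            print "locked"
            else if (failed && touched) print "lock-open-failed"
            else                        print "lock-not-taken"
        }
    '
}

# Trace lines from the report above (abridged: ellipses and fcntl64 dropped).
sample_broken() { cat <<'EOF'
open("/run/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IP, IPT_SO_GET_INFO, "filter"..., [84]) = 0
EOF
}

# Constructed trace (assumption): what a working lock could look like.
sample_locked() { cat <<'EOF'
open("/var/lock/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = 3
flock(3, LOCK_EX) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 4
getsockopt(4, SOL_IP, IPT_SO_GET_INFO, "filter"..., [84]) = 0
EOF
}

echo "report trace:      $(sample_broken | xtables_lock_status)"
echo "constructed trace: $(sample_locked | xtables_lock_status)"
```

On a device, real output can be fed in with `strace iptables -w -L 2>&1 | xtables_lock_status`, since strace writes its trace to stderr.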